Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

GitLab Patches Domain Hijacking Vulnerability

Open source Git repository management system GitLab has addressed a security hole that could have been exploited to hijack users’ custom domains and point them to malicious content.

GitLab Pages is a feature that allows users to create websites for their projects, groups or user accounts, and then connect them to custom domains and TLS certificates.

Open source Git repository management system GitLab has addressed a security hole that could have been exploited to hijack users’ custom domains and point them to malicious content.

GitLab Pages is a feature that allows users to create websites for their projects, groups or user accounts, and then connect them to custom domains and TLS certificates.

White hat hackers noticed that no validation was being performed to ensure that the custom domain added to a user’s Pages site was actually theirs.

A custom domain can be added to GitLab Pages by creating a new DNS A record with an IP address for a Pages server. Since no validation was performed when adding custom domains, an attacker could have identified domains with DNS records pointing to the GitLab Pages server and hijack those domains. When users visited the hijacked domains, they would have been served content from the attacker’s repository.

The attack worked against custom domains that were deleted by users but still had the DNS records for the GitLab server active.

Two researchers reported variations of this issue to GitLab via the company’s bug bounty program on HackerOne. GitLab initially decided not to fix anything, but it started taking action after the second report was submitted.

“Attacker can create fake GitLab account(s) using the email(s) from temporary/anonymous email services. Configure fake email addresses with git for further code commits. Create multiple repositories and add domain name from the vulnerable list. The attacker can then: 1) use the static websites as Command and Control centers for their malware / for other malicious intents, 2) phish the customers / visitors of the legitimate domain owners,” one of the researchers explained in the report submitted via HackerOne.

Proof-of-concept (PoC) exploits created by the researchers revealed that there had been hundreds of vulnerable domains.

Advertisement. Scroll to continue reading.

GitLab initially disabled the functionality for adding custom domains to GitLab Pages, and this week it rolled out a permanent fix by requiring users to verify ownership when adding a custom domain. Verification is done by adding a DNS TXT record containing a token provided by GitLab to the user’s domain.

Some users pointed out on Hacker News that the problem is similar to the issue that caused Let’s Encrypt last month to disable TLS-SNI-01 validation.

Related: Command Execution Flaw Affects Several Version Control Systems

Related: Hackers Can Use Git Repos for Stealthy Attack on Developers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Raffi Joukhadarian has been named Managing Director and Chief Financial Officer at MorganFranklin Cyber.

Data security firm Rubrik has appointed Kavitha Mariappan as its Chief Transformation Officer.

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.